CVE-2021-4034

CVE-2021-4034

Name

CVE-2021-4034

Description

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
MISC	https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
MISC	https://bugzilla.redhat.com/show_bug.cgi?id=2025869
MISC	https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
Exploit	http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html
Third Party Advisory	http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html
Third Party Advisory	https://www.suse.com/support/kb/doc/?id=000020564
MISC	https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory	https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf
Exploit	https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/
Third Party Advisory	https://www.starwindsoftware.com/security/sw-20220818-0001/
Exploit	https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034

Type

URI

MISC

https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

MISC

https://access.redhat.com/security/vulnerabilities/RHSB-2022-001

MISC

https://bugzilla.redhat.com/show_bug.cgi?id=2025869

MISC

https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683

Exploit

http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html

Third Party Advisory

http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html

Third Party Advisory

https://www.suse.com/support/kb/doc/?id=000020564

MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf

Exploit

https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/

Third Party Advisory

https://www.starwindsoftware.com/security/sw-20220818-0001/

Exploit

https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034

134c704f-9b21-4f2e-91b3-4a467353bcc0

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:polkit_project:polkit::::::::`	polkit	== None	== None
`cpe:2.3:a:polkit_project:polkit::::::::`	polkit	>= None	< 121

CPE URI

Source package

Min version

Max version

cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*

polkit

== None

cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*

polkit

>= None

< 121

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
polkit	edge-community	127-r2	team/alpine-desktop <achill@achill.org>	fixed
polkit	edge-community	127-r1	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	127-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	126-r1	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	126-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	125-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	124-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	123-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	122-r5	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	122-r4	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	122-r3	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	122-r2	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	122-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	121-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	0.120-r2	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	edge-community	0.119-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
polkit	3.23-community	126-r1	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	3.22-community	126-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	3.22-community	125-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	3.22-community	0.120-r2	None	fixed
polkit	3.22-community	0.119-r0	None	possibly vulnerable
polkit	3.21-community	0.120-r2	None	fixed
polkit	3.20-community	124-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	3.20-community	0.120-r2	None	fixed
polkit	3.19-community	123-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	3.19-community	0.120-r2	None	fixed
polkit	3.18-community	122-r5	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	3.18-community	0.120-r2	None	fixed
polkit	3.17-community	122-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
polkit	3.17-community	0.120-r2	None	fixed
polkit	3.12-main	0.116-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages